dnscrypt-proxy2: support nftables

author Julien Moutinho <julm+julm-nix@sourcephile.fr>

Wed, 17 Apr 2024 03:38:53 +0000 (05:38 +0200)

committer Julien Moutinho <julm+julm-nix@sourcephile.fr>

Wed, 17 Apr 2024 15:33:02 +0000 (17:33 +0200)
author Julien Moutinho <julm+julm-nix@sourcephile.fr>
Wed, 17 Apr 2024 03:38:53 +0000 (05:38 +0200)
committer Julien Moutinho <julm+julm-nix@sourcephile.fr>
Wed, 17 Apr 2024 15:33:02 +0000 (17:33 +0200)
diff --git a/hosts/aubergine/networking/nftables.nix b/hosts/aubergine/networking/nftables.nix

index e66cddae31f4b747b78585c1a29a65fea4c07910..a53ca5e1045b97d1f6b283e01332ee21a429f785 100644 (file)
--- a/hosts/aubergine/networking/nftables.nix
+++ b/hosts/aubergine/networking/nftables.nix
@@ -38,7 +38,6 @@ in
            udp dport 60000-61000 counter accept comment "Mosh"
            tcp dport { http, https } counter accept comment "HTTP"
            udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
-          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
            tcp dport git counter accept comment "Git"
            tcp dport 5201 counter accept comment "iperf"
          }
diff --git a/hosts/courge/networking/nftables.nix b/hosts/courge/networking/nftables.nix

index 30927b0880989b2ad07f7207eb2b1a411c4a1264..869c5c79d14261b3145142d76c1b1851be0623af 100644 (file)
--- a/hosts/courge/networking/nftables.nix
+++ b/hosts/courge/networking/nftables.nix
@@ -48,7 +48,6 @@ in
            tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
            udp dport 60001-60100 counter accept comment "Mosh"
            udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
-          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
            tcp dport { http, https } counter accept comment "HTTP"
            tcp dport git counter accept comment "Git"
            tcp dport imaps counter accept comment "IMAPS"
diff --git a/hosts/oignon/networking/nftables.nix b/hosts/oignon/networking/nftables.nix

index 8ebec85a0f4f3b8c5e0f5b22231d88edf19cfb72..1ec0a97b763588edfdc21b237ee2434305270921 100644 (file)
--- a/hosts/oignon/networking/nftables.nix
+++ b/hosts/oignon/networking/nftables.nix
@@ -45,7 +45,6 @@ in
            tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
            udp dport 60001-60100 counter accept comment "Mosh"
            udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
-          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
            tcp dport { http, https } counter accept comment "HTTP"
            tcp dport git counter accept comment "Git"
            tcp dport imaps counter accept comment "IMAPS"
diff --git a/hosts/patate/networking/nftables.nix b/hosts/patate/networking/nftables.nix

index f8911698bc9ae05a2442e7743ad4f28a62b132f8..01bfd37b110dd84a2835641e1ce86f77c0c2ebc2 100644 (file)
--- a/hosts/patate/networking/nftables.nix
+++ b/hosts/patate/networking/nftables.nix
@@ -48,7 +48,6 @@ in
            tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
            udp dport 60001-60100 counter accept comment "Mosh"
            udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
-          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
            tcp dport { http, https } counter accept comment "HTTP"
            tcp dport git counter accept comment "Git"
            tcp dport imaps counter accept comment "IMAPS"
diff --git a/nixos/profiles/dnscrypt-proxy2.nix b/nixos/profiles/dnscrypt-proxy2.nix

index dbc1e796e3b6c9c767df620a425eaf4a5d09c1ea..14f4e3ebb1ec6e7dee813da0c0d0ad36dee888fe 100644 (file)
--- a/nixos/profiles/dnscrypt-proxy2.nix
+++ b/nixos/profiles/dnscrypt-proxy2.nix
@@ -1,4 +1,5 @@
-{ lib, ... }:
+{ lib, config, ... }:
+let inherit (config) users; in
  with lib;
  {
    networking = {
@@ -60,4 +61,11 @@ with lib;
        use_syslog = true;
      };
    };
+  networking.nftables.ruleset = ''
+    table inet filter {
+      chain output-net {
+        meta l4proto { udp, tcp } th dport domain skuid ${users.users.dnscrypt-proxy2.name} counter accept comment "DHCP"
+      }
+    }
+  '';
  }
diff --git a/nixpkgs/patches.nix b/nixpkgs/patches.nix

index 950a2fc4efa4d63601e78fdaebfe6c3f0303ae9f..2611c0fe6d689bcc7131ed3ffcbb2910a6ac9617 100644 (file)
--- a/nixpkgs/patches.nix
+++ b/nixpkgs/patches.nix
@@ -9,6 +9,11 @@
      url = "https://github.com/NixOS/nixpkgs/pull/276014.diff";
      sha256 = "sha256-SUftUE++06TqRmK88VxQKiI9NaJs7XtC8I97ScQHF/Y=";
    }
+  {
+    meta.description = "dnscrypt-proxy2";
+    url = "https://github.com/NixOS/nixpkgs/pull/304810.diff";
+    sha256 = "sha256-YGQZibCIKz7YYS1bw2QNtHbJPWWV6nZqWwddWsAFK5Q=";
+  }
    /*
      {
      meta.description = "nixos/syncoid: enable N:N dataset mappings";
author	Julien Moutinho <julm+julm-nix@sourcephile.fr>
	Wed, 17 Apr 2024 03:38:53 +0000 (05:38 +0200)
committer	Julien Moutinho <julm+julm-nix@sourcephile.fr>
	Wed, 17 Apr 2024 15:33:02 +0000 (17:33 +0200)
hosts/aubergine/networking/nftables.nix		patch \| blob \| history
hosts/courge/networking/nftables.nix		patch \| blob \| history
hosts/oignon/networking/nftables.nix		patch \| blob \| history
hosts/patate/networking/nftables.nix		patch \| blob \| history
nixos/profiles/dnscrypt-proxy2.nix		patch \| blob \| history
nixpkgs/patches.nix		patch \| blob \| history